PYMNTS.com published an insightful analysis earlier this year around the trends in Apple Pay adoption and estimates that after 2.5 years Apple Pay accounts for only 1/10th of a percent of retail spend.

I’ll go on record and say I’m actually impressed with the security features of Apple Pay and most concerns from users are misplaced.

With that said, the underlying transaction security relies on the same standards as EMV chip cards and the onboarding process for Apple Pay creates an avenue for counterfeiting that EMV cards were specifically designed to prevent.

The extra layer of fingerprint security helps with lost/stolen fraud but consumers are also learning that the fingerprint sensors on their phones are not as secure as they thought.

A recent NY Times article highlights the work of researchers who were able to fool fingerprint sensors with a set of fingerprints that share “common” traits.

I’ve seen the movie Avatar and I can tell you that computer generated images can be pretty darn realistic. It’s not that difficult to start with a still image from a Facebook post and animate it enough to fool a biometrics app.

It might be more difficult to get an image of someone’s eyes, but is it really that hard? How many close up selfies get posted every year?

There have also been several large data breaches that contained fingerprint information, so even that data might not be safe.

As someone who has looked deeply into chip card technology, I found myself a little annoyed at the recent articles claiming that a “flaw” in EMV chip cards had been demonstrated at a hackers’ conference in Las Vegas.

Despite what some news outlets reported, the hackers only demonstrated that they could hack one brand of card reader and in some cases intercept unencrypted card data.

Stay away from magnetic stripes!

The demonstration does show that if a store card reader has been compromised, your data can still be at risk. The most common attacks try to get you to “fall back” from using the chip and swiping the card instead.

If you ever insert your chip card into a reader and it asks you to swipe the card instead, the reader may have been hacked. Better to just pay with cash if you can.
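The consumer advice above has a counterpart on the issuer or acquirer side: a terminal that keeps producing “fallback” transactions (chip card, chip-capable reader, yet the card was swiped) deserves a look. The following Python is an added example, not code from Chip Shield or from the original post; it runs over a constructed set of transaction records and flags terminals whose fallback rate is unusually high, while ignoring terminals with too few chip-eligible transactions to judge. The record layout, the 10% threshold and the minimum-sample size are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample records (not real data). Each record says whether the card
# and the terminal support chip, and how the card was actually read:
# "chip" (inserted), "swipe" (magnetic stripe) or "contactless".
SAMPLE_TRANSACTIONS = [
    # T-100: healthy terminal, every chip card is read as a chip
    *[{"terminal_id": "T-100", "card_chip": True, "terminal_chip": True, "entry_mode": "chip"}
      for _ in range(6)],
    # T-200: chip cards keep getting swiped at a chip-capable reader
    *[{"terminal_id": "T-200", "card_chip": True, "terminal_chip": True, "entry_mode": "swipe"}
      for _ in range(4)],
    *[{"terminal_id": "T-200", "card_chip": True, "terminal_chip": True, "entry_mode": "chip"}
      for _ in range(2)],
    # a stripe-only card swiped at T-200 is a legitimate swipe, not a fallback
    {"terminal_id": "T-200", "card_chip": False, "terminal_chip": True, "entry_mode": "swipe"},
    # T-300: only two chip-eligible transactions, both swiped; too little data to judge
    *[{"terminal_id": "T-300", "card_chip": True, "terminal_chip": True, "entry_mode": "swipe"}
      for _ in range(2)],
]


def is_chip_eligible(txn):
    """Both sides could have done a chip transaction."""
    return txn["card_chip"] and txn["terminal_chip"]


def is_fallback(txn):
    """Fallback: a chip card, at a chip-capable terminal, read from its stripe anyway."""
    return is_chip_eligible(txn) and txn["entry_mode"] == "swipe"


def fallback_rates(txns):
    """Per terminal: (fallback count, chip-eligible count)."""
    eligible = defaultdict(int)
    fallback = defaultdict(int)
    for txn in txns:
        if is_chip_eligible(txn):
            eligible[txn["terminal_id"]] += 1
            if is_fallback(txn):
                fallback[txn["terminal_id"]] += 1
    return {tid: (fallback[tid], eligible[tid]) for tid in eligible}


def suspicious_terminals(txns, max_rate=0.10, min_eligible=5):
    """Terminals whose fallback rate exceeds max_rate, once enough chip-eligible
    transactions have been seen to make the rate meaningful (assumed thresholds)."""
    flagged = []
    for tid, (fb, el) in sorted(fallback_rates(txns).items()):
        if el >= min_eligible and fb / el > max_rate:
            flagged.append(tid)
    return flagged


if __name__ == "__main__":
    for tid, (fb, el) in sorted(fallback_rates(SAMPLE_TRANSACTIONS).items()):
        print(f"{tid}: {fb}/{el} chip-eligible transactions fell back to swipe")
    print("review:", suspicious_terminals(SAMPLE_TRANSACTIONS))
```

Real monitoring would add time windows and compare each terminal against its own history, but the core rule is the same: a terminal that routinely declines to read chips it could read is either broken or tampered with, and either way it should not keep taking cards.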

Watch for fake PIN entry screens

Another hack that was demonstrated was the ability to show a fake debit card PIN entry screen on a compromised store card reader.

They managed to add an extra screen in the payment flow that asked a customer to re-enter their PIN a second time. Most people they asked to try it assumed they had mistyped their PIN the first time and re-entered it in the fake screen.

This hack might be difficult to spot since we all mistype our PIN codes occasionally.

It might be better to ask the clerk to start over instead of using a re-entry screen when this happens. If that second screen keeps coming up, there could be a problem with the store reader.

Could there be a flaw in the EMV chip?

If there were a flaw in the EMV chip itself I think someone would have found it in the 15 years since chip cards were first introduced in Europe.

From everything we know right now, there is no practical way to hack into a chip card and reveal its hidden security keys.

In 25 years or so, some researchers think that quantum computers could potentially break the security keys in EMV chips, along with all of the security used to protect websites on the internet.

A few weeks ago my mom asked me which anti-virus software she should buy for her home PC. Being a good son, I spent a bit of time looking at independent lab reviews of the most popular products available so I could give an informed answer.

A couple of days later, news broke that a Google research team had uncovered serious flaws in Symantec Antivirus and it looks like millions of customers are at risk of having those flaws exploited.

I went back and re-read the anti-virus reviews after the Symantec story broke and one thing that caught my eye was how well the software detected previously unknown viruses.

Symantec was one of the best and scored above 95% at detecting previously unknown attacks. Usually, these viruses are just slight modifications of a known threat so you’d expect the software to catch it.

But, the really dangerous stuff is when an entirely new area is attacked and the anti-virus software isn’t even looking for it.

This is why the story about Symantec is so troubling. Not only have the flaws been around for years but no one was even looking for them.

Symantec couldn’t detect its own flaws, and since no one runs more than one anti-virus program on their computer, there’s no way for another program to spot them.

Twitter Hack an “Unknown” Virus?

Last month, news broke that 32 million Twitter account passwords were leaked. At first, most people assumed it was another company data breach, but Twitter strongly denied that.

A closer look at the leaked passwords revealed they were most likely stolen from 32 million computers compromised with a computer virus.

Yikes! So, there might be a virus out there that has infected 32 million computers and it’s still on our “Unknown” list?

At Least Protect Your Payments!

We live in a world where millions of computers are already compromised and anti-virus software may or may not detect new threats.

I’ve had many people ask me why we built a hardware device to protect payment information. “Why don’t you just write a software program, or a mobile app?” is a common question.

If Amazon can build hardware buttons to order diapers and cat litter, we think that a dedicated device to encrypt your payments is a pretty good idea.

I sometimes hear surprised reactions when I tell people that our product focus is on desktop e-commerce.

Many people are convinced that mobile e-commerce accounts for more than desktop and that desktop is rapidly dropping to zero.

Actually, almost 80% of e-commerce transactions are made from the desktop and it’s growing by $10 billion / year.

If you’ve ever tried to type in your credit card on a mobile device it’s not hard to see why.

Didn’t I hear that mobile is 60% of all commerce?

There were a lot of headlines around the rapid growth of mobile commerce during the 2015 holiday season.

Most of the buzz came from a comScore report for the 2015 Nov-Dec holiday season that showed mobile commerce growing by 60% from the previous holiday to a total of $12.6 billion.

Desktop e-commerce only grew by 6% to $56.4 billion in the same period.

The percentage growth is a bit misleading (but makes good headlines) because mobile started from a much smaller number.

If you look at the raw dollar amounts for the period, desktop grew by $3.1 billion and mobile grew by $4.7 billion. Still good, but doesn’t seem quite as impressive looking at the raw numbers.

Mobile Retail or E-commerce?

This news that mobile grew 60% got a lot of people to draw hockey stick graphs and jump to the conclusion that mobile e-commerce would overtake desktop in a few years’ time.

But, one thing that can be misleading about mobile commerce is that it comprises both e-commerce (buying goods/services online) and in-store retail, like the Starbucks app being used to buy an overpriced latte.

In the same 2 month holiday period last year, about $1.2 billion of “mobile commerce” was from the Starbucks app, and another $1.3 billion was from Apple Pay at places like McDonalds and Whole Foods.

Should we be Excited about the Starbucks app?

Not that I have anything against Starbucks, but I wonder if we should really be including the Starbucks app when we look at the growth of mobile commerce, and using it to make predictions about the future of commerce.

If we didn’t use their app, we would probably still buy the same coffee, at the same store. Maybe people buy a couple percent more coffee than they used to, but how much has commerce really grown or changed because of it?

Breaking down Mobile Retail and Mobile E-commerce.

A recent survey of Apple Pay users from Phoenix Marketing International showed that 62% of Apple Pay transactions happened in a retail store and the other 38% were for e-commerce.

It’s hard to get an accurate breakdown of the types of mobile commerce, but my best estimate is that only half of the $12.6 billion reported for mobile commerce last holiday season was actually e-commerce.

If desktop e-commerce was $56.4 billion, and mobile e-commerce is closer to $6.3 billion, 80% of e-commerce is still coming from the desktop.

Mobile will catch up some day, but I think we are at least 10 years from mobile breaking even with desktop for e-commerce.

Maybe using Chip Shield to enter payment details into your favorite mobile apps will help to speed up the process!

With the launch of Apple Pay in 2014, banks and merchants were told they were getting a system that would help prevent fraud by requiring fingerprint authentication and providing better security than plastic credit cards.

Apple used this promise to elicit revenue sharing from merchants and banks that supported their system.

What actually happened?

Within 6 months of Apple Pay’s release, rampant fraud had been reported from banks and retail stores supporting Apple Pay, and for some banks, the fraud rates reached 60 times higher than traditional plastic cards.

Ironically, one of the hardest hit retailers was Apple’s own stores.

The problem wasn’t with the encryption or fingerprint security, but the fact that adding stolen cards into Apple Pay was too easy.

Banks want to make it easy to add their cards to the system and Apple prides itself on easy to use products and services.

Apple added neat features like being able to take a picture of your credit card. So, fraudsters used paint programs to create images of stolen cards and took pictures of the print-outs.

Apple wanted to make it easier for customers who already had their credit card on file with iTunes. So, fraudsters added stolen cards to iTunes, ran a couple of small transactions that wouldn’t be noticed, and then bypassed most of the security checks when adding the cards to Apple Pay.

Banks wanted friendly support groups to help with the process of on-boarding cards. The support people were so friendly, they even helped activate stolen cards.

Who’s to Blame?

Apple has pointed at the banks for any problems approving stolen cards, but in the end, they created a system with a major security hole and left the banks to pay millions of dollars to cover fraud losses.

I’d love to be a fly on the wall while Apple tries to get reimbursed for losses at their own stores for accepting Apple Pay.

One thing that Apple Pay fraud has shined a light on is the fact that banks’ security verification questions are often woefully inadequate for determining who actually owns a credit card.

The “gold standard” for some banks to verify cardholder identity was to ask for the last 4 digits of your social security number. Unfortunately, criminals have access to huge databases of security information stolen from previous data breaches.

For a criminal, searching for the last 4 digits of your SSN is about as difficult as finding a bad picture of you on Facebook.

Apple Pay vs. Chip Cards

If you’re a merchant, accepting Apple Pay might sound cool, but it doesn’t look like its promise of reducing fraud will ever be as strong as chip based cards.

Chip cards were specifically designed to prevent counterfeiting, whereas Apple Pay looks to be a counterfeiter’s dream.

Banks have been forced to put up higher and higher walls to prevent stolen cards being added. It’s still fairly easy to add a card if your phone is already linked to your bank account, but adding cards to tablets and phones with new numbers requires extra verification steps.

One way to streamline the process is to verify the customer’s card with a product like Chip Shield. It reads the payment information directly from the chip card and validates that the card is legitimate. If a card was added to a mobile wallet using Chip Shield the risk of fraud at merchants would be greatly reduced.

Maybe Apple Pay + Chip Shield could live up to the promise of reducing fraud for merchants.

As I’ve been out and about talking to people about our solution to protect credit card numbers, the topic of protecting social security numbers has come up several times.

The recent spike in tax fraud and the theft of millions of government employee records has given the problem of social security number theft a new urgency.

When I was first asked about this, I joked that I’d tackle that one with my next company. But after a while, I started thinking about what was wrong with social security numbers, what a mess we’ve gotten ourselves into by relying on them, and how it could be fixed.

We’ve all known for quite some time that credit card numbers are too easy to steal, and that motivated hackers and thieves were finding countless ways to break into systems and grab that information.

The only relatively good thing is that a credit card number can be replaced. It’s a hassle and it’s costly to banks and merchants, but we’ve all cycled through enough cards to know that it’s not the end of the world.

Social Security Numbers are a nightmare by comparison. As far as the government is concerned, and credit agencies, and insurance companies, and employers, this one number is your identity.

Yeah, a New Social Security Number

The government has a process to replace your social security number if it’s stolen, and it’s relatively straightforward. It requires proving your identity with supporting documentation and then filling out some paperwork.

Assuming you can prove who you are (in person or through a notary), you’ll have a new number in a couple of weeks.

Ok, so you’ve got a new number. Now what?

Have you been keeping track of which organizations track you by your social security number? Do you know how many of these places have a process in place to update your number, and what type of documentation they require to make this type of change?

And once it’s updated, tomorrow’s data breach is just going to use your new number to steal your identity, and the cycle starts over…

SSN Requests like Payments

Part of the solution is to start thinking of social security numbers in a different way than we’re used to. Instead of thinking that the number itself is important, we should think about the transactions that we allow people to do with this number.

With a credit card purchase, you want to give a specific merchant permission to make an approved funds request from your bank.

With your SSN, you want to give a merchant or agency permission to make an identity request from the government, for a specific purpose.

You might give someone permission to access information about you, like your credit report, your tax return, or your medical records. Or you might give permission to report about you, such as your wages or loan payment status.

When you give permission to make an identity request, you want to be sure that the request can only be made by the person you approve, and it can’t later be stolen and used by someone else to falsely identify themselves as you.

For example, if I give Bob’s Used Cars permission to check my credit report one time when I apply for a loan, Bob should not be able to file my tax return.

For the same reason that generating dynamic card numbers for each merchant prevents credit card theft, a similar approach could generate a “Virtual Social Security Number” for each one-time request.

The government in this case acts like a bank, generating temporary numbers and approving these requests.

If a request is made from a different person, or for a different purpose, it is blocked. So Bob can approve my loan, but not file my tax return.
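To make the “virtual social security number” idea concrete, here is an added example in Python; it is not code from Chip Shield or from the original post, and the names, the request format and the `IdentityAuthority` class are assumptions for illustration. The authority plays the bank-like role described above: the subject approves one request by one requester for one purpose, the authority hands out a random number bound to that approval, and a request is answered only if the requester and purpose match, after which the number is dead. The Bob’s Used Cars scenario from the text is run through it, including the replay and the wrong-purpose attempts.

```python
import secrets


class IdentityAuthority:
    """Hypothetical authority standing in for the government's role: it issues
    one-time virtual numbers bound to (subject, requester, purpose) and resolves
    them only when the binding matches."""

    def __init__(self):
        # virtual number -> (subject, requester, purpose); removed once used
        self._issued = {}

    def authorize(self, subject, requester, purpose):
        """The subject approves a single request. The returned number is random,
        so it reveals nothing about the real SSN and cannot be guessed."""
        vsn = secrets.token_hex(16)
        self._issued[vsn] = (subject, requester, purpose)
        return vsn

    def resolve(self, vsn, requester, purpose):
        """The requester presents the number. Returns (ok, detail): on success the
        detail is the subject's identity, otherwise the reason for refusal."""
        record = self._issued.get(vsn)
        if record is None:
            return False, "unknown or already used number"
        subject, bound_requester, bound_purpose = record
        if requester != bound_requester:
            # a stolen or forwarded number is useless to anyone but the approved party
            return False, "requester does not match approval"
        if purpose != bound_purpose:
            # Bob may check credit, but the same approval cannot file a tax return
            return False, "purpose does not match approval"
        del self._issued[vsn]  # single use: replaying the number later fails
        return True, subject


def demo():
    """Walk through the Bob's Used Cars scenario; returns each attempt's outcome."""
    authority = IdentityAuthority()
    results = {}

    vsn = authority.authorize("me", "Bob's Used Cars", "credit_report")
    results["bob_credit_check"] = authority.resolve(vsn, "Bob's Used Cars", "credit_report")
    results["bob_second_use"] = authority.resolve(vsn, "Bob's Used Cars", "credit_report")

    vsn2 = authority.authorize("me", "Bob's Used Cars", "credit_report")
    results["bob_tax_return"] = authority.resolve(vsn2, "Bob's Used Cars", "file_tax_return")
    results["stolen_by_other"] = authority.resolve(vsn2, "Someone Else", "credit_report")
    return results


if __name__ == "__main__":
    for attempt, (ok, detail) in demo().items():
        print(f"{attempt}: {'approved' if ok else 'blocked'} ({detail})")
```

The important property is in `resolve`: the number by itself proves nothing, because the authority, not the number, remembers who was approved to do what. A breach that leaks a pile of these numbers leaks nothing reusable.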

The Wheels on the Bus

All of this is an interesting thought exercise, but it would take a monumental effort for the government, credit agencies and thousands of merchants and lenders to change their process in such a significant manner.

But, we might be close to a point where the wheels are about to fall off the bus, and the Chip Shield (Social Security Edition) might be just the thing we all need to get the bus on the road again.

As if the headline that card fraud losses had reached $16.3 billion was not scary enough, the report goes on to predict that by 2020, losses will grow above $35 billion annually, with $183 billion being lost in between.

The U.S. accounts for about 50% of the losses each year, even though we represent only 20% of transactions (Yeah, we’re number one).

I suppose at some level, if you look at the huge amounts of revenue US banks bring in from credit cards (more than $500 billion), then look at the $8 billion or so lost to card fraud, it can look like just a drop in the bucket.

In the real world, $8 billion is a staggering amount of money to be lost every year. This is a train wreck, a house fire, a travesty… you get the idea. The worst part is that it’s not even close to the actual amount being lost.

What is the Real Cost of Fraud?

One problem with any study of losses due to fraud is that it often understates the indirect costs related to the problem, such as the cost of prevention and the cost of cleanup after the fact.

An interesting yearly study from LexisNexis tries to pinpoint this multiplier effect for merchants, and recently found that for every dollar in direct fraud losses, the true cost is closer to $3.08.

So, if the actual losses in the U.S. are 2-3 times higher than the reported losses, does this mean that what currently looks like an $8 billion tax on our commerce system is on its way to grow into a $35 billion catastrophe?

This doesn’t even count the fraud that’s not reported, re-classified, or otherwise swept under the rug to avoid admitting security problems. And don’t forget about the cost incurred by consumers spending endless hours dealing with fraud on their own accounts.

I’m bringing in the thesaurus now to come up with more words to describe this calamity of cataclysmic proportions.

Who Pays for Fraud?

While I was at a banking conference last month, I sat in on a session where I heard an executive say to the audience, “People outside the industry just aren’t informed. They don’t have to pay for fraud. The banks cover all the costs.”

That comment got me thinking about who really pays for fraud.

Of course, the answer is that we all pay for it, and banks and merchants do a good job of hiding the cost in the form of higher fees, or higher prices.

When someone at a bank says that fraud is just the cost of doing business, it means that they have passed that cost on to someone else, namely their customers, and haven’t lost much business.

To bring the problem home a little more, if you take the $35 billion in real cost for fraud, and divide it by the 100 million or so households in the US, we’ll all soon be paying $350/year to cover up this problem.

Yikes! If I have to pay $30 each month for something, I should at least get a free tee shirt or something. Maybe we’ll all get bumper stickers that say “My credit card fees help support organized crime!”

Our company and our products have been in “stealth mode” for the past year and a half as we designed and built the Chip Shield device, implemented back end servers and client libraries to support the devices, and built our web sites and mobile apps.

After all these months of secrecy, we’re finally ready to announce our product, and share information about what we do, and how we do it.

So, I thought I would use this blog post to talk about why we’re doing this, and how we started working to solve the problem of credit card theft and fraud.

The Pervasive Problem of Fraud

When we first started thinking about the problem of credit card fraud, the Target data breach was still in the news, and the Home Depot story was just breaking. It felt like everywhere you looked you would hear reports of fraud, data breaches, identity theft and organized crime.

We started to feel the personal effects of card theft with bank notices and cards being replaced. My wife and I had 3 cards replaced in just a few months, and then later received a friendly notice that our personal information had been lost in the Anthem data breach.

It wasn’t only us. It was our friends, our families, and it was starting to impact virtually everyone. Just this week my dad had another card replaced.

Not long ago, Gallup asked Americans about their biggest crime fears and 85% of wealthier households listed credit card theft as their largest fear.

Also, more than 25% of the people surveyed reported that a family member had their credit card stolen by computer hackers in the past year.

A more recent survey from MasterCard shows a similar level of anxiety, and amusingly 55% of the people surveyed would rather have nude photos of themselves leaked online than have to deal with the theft of their financial information.

My mom, who is in her mid-70s and lives on her own, woke up one fine morning to learn that her checking account had been hacked into and more than $1,700 had disappeared in a few hours.

Our family spent the next few weeks trying to unravel the source of the hacked account as it played out a bit like a murder mystery.

Was it because my mom had used the same password for years?

Was it because, like many people, she used the same password for all sorts of accounts?

Was it the sheet of paper on her desk with her passwords written on it?

Was it a virus, later discovered on her computer, that had logged keystrokes and sent them to a website in a distant country?

Was it the new housekeeper who had recently started working for my mom, who seemed a bit too chatty? Did she find the sheet of paper? Did she install the virus?

Was it my sister, or me, who took the money, since we both had our own login/passwords to the account?

Were our accounts with the same bank at risk?

Collateral Damage

The worst part of a computer hack is the side effects it can have on people’s lives, and the paranoia it can create around things and people you used to trust.

In hindsight, everything feels like an overreaction, but at the time, my mom was not sure who to blame.

The housekeeper, of course, had to be replaced, because it could have been her.

The computer, of course, had to be replaced, because it could no longer be trusted.

Online banking, of course, had to be permanently disabled and only paper statements used for the accounts.

Other online accounts, of course, had to have new, crazy long passwords created, since they could have been hacked also.

The little piece of paper with all my mom’s passwords on it now had to be written in code, with only hints at what each crazy long password might be. Of course, we could never remember what the codes meant.

The Bank Handles Everything

I’m sure the folks at the bank do their best trying to fix these issues, but it can be a mess to clean up.

The accounts all had to be closed and re-opened, which was done incorrectly, so they had to be closed and re-opened again, with the process taking more than a week.

The replacement funds had to be deposited into the account, and went into the wrong account, and had to be done again, which took another few days.

All the while, checks written to pay utility bills were merrily bouncing and triggering fees from those companies.

Then, somewhere along the way, the bank decided that the hack had actually come from my sister’s login (although they offered no reason except “it’s technical”), so they held back part of the funds and re-opened a fraud investigation under my sister’s name.

My poor sister had to endure 90 minutes of what she termed an “interrogation” by the bank because someone in the fraud group decided she was stealing our mom’s money.

Did They Get Away with It?

Of course they got away with it. The hackers are long gone with the funds and probably working on their next victims.

Our bank told us that the funds were drained through fake PayPal accounts, but PayPal wouldn’t provide them any information about where the money ended up.

PayPal had no reason to pursue the matter because they weren’t the ones who had to reimburse the stolen funds.

The police also had no interest in tracking down a small theft that would cost them thousands to pursue, with likely no results.

Son, Just Fix It!

While all of this was unfolding, my mom also had a credit card replaced (she thinks because of the Target hack).

So, my mom told me to just fix these problems, like I had fixed the VCR when I was 10 or the hair dryer when I was 12.